Using SCOM to Detect Overpass the Hash Attacks

An overpass-the-hash attack is another flavor of a pass-the-hash attack, except that the attacker is passing a key instead of an NTLM hash. As such, it is technically a Kerberos-based attack. This type of attack is useful once an environment is already compromised as the key needed for the…

Using SCOM to Detect WDigest Enumeration

In a recent conversation with fellow colleague Jessica Payne, it was noted that one of the most common forms of credential theft presently involves using exposed WDigest credentials. WDigest, while not commonly used today, is still enabled by default in large part because of legacy applications that use it. While this was fine back in…

Using SCOM to Detect Pass the Ticket Attacks

Last month, I wrote a two-part series on using SCOM to detect pass-the-hash attacks. I’ve decided to take some time and focus on pass-the-ticket attacks. There isn’t a whole lot different between the two attack methods. Both require administrative rights on the machine (and let’s face it, that is…

SCOM 2012 and 2016 WebConsole and FIPS Compatibility

Update:  I had the opportunity to test this on SCOM 2016 and the same procedure works. Also, I’ve uploaded GAC util as well as the SCOM DLL here as they are not on the SCOM 2016 DVD either.  You can find them here. Previous Article: _________ As a quick overview, FIPS stands for Federal Information…
